[YMCS/YDMP Free Trial Program]Yealink would like to offer Free Trial Program of Yealink device management service for our current eligible customers. You can see the details below.
https://www.yealink.com/ydmp-freetrial-2020


Post Reply 
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Establishing mutual TLS with Kamailio
Author Message
marco.capetta Offline
Junior Member
**

Posts: 6
Joined: Nov 2014
Reputation: 0
Post: #1
Establishing mutual TLS with Kamailio
I have a Yealink T32G phone with firmware 32.70.23.6
I am trying to configure the phone in TLS with Kamailio proxy.
I was able to successfully configure TLS authentication by entering the CA of my Kamailio server in the Trusted Certificates of Yealink phone.
Now I would like to switch to mutual TLS. To do this I would need to have the Yealink CA that has trusted the phone pre-installed certificate.
Where can I download this Certificate Authority?

Thanks
Marco
11-07-2014 07:19 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
James_Yealink Offline
Administrator
*******

Posts: 1,159
Joined: Aug 2014
Reputation: 8
Post: #2
RE: Establishing mutual TLS with Kamailio
Hi Macro,

I attach the certificate please check.

Regards,
James


Attached File(s)
.zip  Yealink Equipment Issuing CA.zip (Size: 1.82 KB / Downloads: 20)
11-07-2014 07:39 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
marco.capetta Offline
Junior Member
**

Posts: 6
Joined: Nov 2014
Reputation: 0
Post: #3
RE: Establishing mutual TLS with Kamailio
Thanks for the quick response.

I imported the certificate that you have kindly provided me, but I still have connection problems.
It seems that the Yealink phone does not provide to the server its certificate during the TLS handshake, in fact I get the following error from the Kamailio logs:
"ERROR: tls [tls_server.c 1186]: tls_read_f (): TLS accept: error: 140890C7: SSL routines: SSL3_GET_CLIENT_CERTIFICATE: peer did not return a certificate".

I tried to export the phone certificate from phone HTTPS web interface, and I get the certificate that you can find attached.
If I try to verify this certificate using the CA you provided me, I get the error:
"error 20 at 0 depth lookup: unable to get local issuer certificate"

I must also import some intermediate CA?
Do I need to set something in particular on the phone?

Thanks again
Marco


Attached File(s)
.zip  yealink_phone.zip (Size: 1.03 KB / Downloads: 7)
11-07-2014 09:59 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
marco.capetta Offline
Junior Member
**

Posts: 6
Joined: Nov 2014
Reputation: 0
Post: #4
RE: Establishing mutual TLS with Kamailio
Is there any update on this?

Thanks
Marco
11-14-2014 06:16 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
James_Yealink Offline
Administrator
*******

Posts: 1,159
Joined: Aug 2014
Reputation: 8
Post: #5
RE: Establishing mutual TLS with Kamailio
Hi Macro,

Sorry for the late.
The error occurs when you register through TLS or do an autoprovision through HTTPS?
Can you set phone syslog to 6, reproduce the issue then send the log to us?

Regards,
James
11-14-2014 07:45 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
marco.capetta Offline
Junior Member
**

Posts: 6
Joined: Nov 2014
Reputation: 0
Post: #6
RE: Establishing mutual TLS with Kamailio
Hi James,

I was able to successfully configure TLS authentication by entering the CA of my Kamailio server in the Trusted Certificates of Yealink phones.

The error occurs instead when I try to switch to mutual TLS.

As you requested, I am attaching the export syslog at level 6.

Regards,
Marco


Attached File(s)
.tar  Yealink_syslog.tar (Size: 79 KB / Downloads: 1)
11-18-2014 12:08 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
marco.capetta Offline
Junior Member
**

Posts: 6
Joined: Nov 2014
Reputation: 0
Post: #7
RE: Establishing mutual TLS with Kamailio
Is there any update on this?

Thanks
Marco
12-02-2014 12:54 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
James_Yealink Offline
Administrator
*******

Posts: 1,159
Joined: Aug 2014
Reputation: 8
Post: #8
RE: Establishing mutual TLS with Kamailio
Hi Marco,

From the syslog it seems that phone can't read the client certificate. Please make sure that the "Device Certificate" is set to "Default Certificate" under Security-> Server Certificate.

If the default certificate doesn't work either. Can you generate a new Server certificate and Client certificate and import them to server/phone then check again?

Regards,
James
12-02-2014 05:28 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
marco.capetta Offline
Junior Member
**

Posts: 6
Joined: Nov 2014
Reputation: 0
Post: #9
RE: Establishing mutual TLS with Kamailio
In the phone's web interface there is not the parameter "Device Certificate" under "Security -> Server Certificate" (see attached screenshot).

I want you to remember that currently the phone has firmware "32.70.X".
This version supports device certificates? Or is needed version "32.71.X" or "32.72.X"?
In the latter case, where can I find these firmware?

Thanks again of the support.
Marco


Attached File(s) Thumbnail(s)
   
12-02-2014 07:06 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
James_Yealink Offline
Administrator
*******

Posts: 1,159
Joined: Aug 2014
Reputation: 8
Post: #10
RE: Establishing mutual TLS with Kamailio
Macro,

Please import this certificate under Security-> Server Certificate and check again.

The firmware may not have a built-in client certificate.

Regard,
James


Attached File(s)
.tar  WebServer.tar (Size: 7 KB / Downloads: 16)
12-03-2014 01:58 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread:

Contact Us   Yealink   Return to Top   Return to Content   Lite (Archive) Mode   RSS Syndication